A Chinese state-backed hacking group has relaunched cyber espionage operations against European governments after a 2-year absence, and a second, separate China-linked operation has simultaneously embedded itself deep inside global telecommunications infrastructure.
Both campaigns are running concurrently in 2025–2026, targeting different systems through different methods, but serving the same strategic objective: persistent, covert access to Western government and communications networks.
TA416: The Group, the Aliases, and the Return to Europe
TA416 is a Chinese state-backed advanced persistent threat group active since at least 2012, tracked by Proofpoint under the designation TA416 and by other security organisations under 12 additional aliases, including Mustang Panda, Twill Typhoon, RedDelta, Earth Preta, and Stately Taurus. The group targets government bodies, diplomatic missions, NGOs, think tanks, and research institutions across the US, Europe, and Asia.
TA416 was active in Europe during 2022 and 2023, coinciding with the onset of the Russia-Ukraine war. After 2023, the group shifted focus to Southeast Asia, Taiwan, and Mongolia for approximately 2 years.
Proofpoint researchers Mark Kelly and Georgi Mladenov confirmed that the group’s return to European targeting began in mid-2025 and tracked a specific sequence of geopolitical events.
Why Europe, Why Now: 3 Geopolitical Triggers
TA416’s campaign restarts follow a consistent pattern: geopolitical tension precedes targeting shifts by weeks, not months. The 2025–2026 European campaign follows 3 simultaneous EU-China pressure points:
- EU-China trade tensions: Escalating disputes over tariffs and market access following the 25th EU-China Summit, which immediately preceded TA416’s European campaign restart
- Russia-Ukraine war positioning: China’s continued strategic ambiguity over Russia’s invasion is creating intelligence demand around European NATO member positions and diplomatic communications
- Rare earths export restrictions: China’s leverage over critical mineral supply chains, generating European policy responses that Beijing sought to monitor at the diplomatic level
In March 2026, TA416 expanded targeting to Middle Eastern government and diplomatic entities following the outbreak of conflict in Iran, a geographic move the group had never previously made and a sign that active conflict zones now trigger near-immediate targeting expansion.
How TA416 Actually Operates: 3 Infection Chain Phases
TA416’s core objective across all campaigns is loading its customised PlugX backdoor onto target systems. PlugX is a remote access trojan that gives operators persistent, covert control over infected machines, enabling file exfiltration, keystroke logging, remote command execution, and lateral movement across connected government networks.
The group altered its infection delivery method 3 times between September 2025 and February 2026 to evade detection.
Phase 1 (September 2025–January 2026): Spoofed Cloudflare Turnstile challenge pages gated access to malicious ZIP archives, tricking targets into completing what appeared to be a standard bot-verification step before downloading the payload.
Phase 2 (December 2025–January 2026): Third-party OAuth applications registered in Microsoft Entra ID redirected users out of legitimate authentication flows to attacker-controlled malware delivery domains. The lure link pointed at a genuine Microsoft sign-in, and only the application’s redirect step sent the victim onward, so URL filtering and user awareness keyed on the login domain were bypassed.
Phase 3 (February 2026–present): Malicious archives containing a renamed Microsoft MSBuild executable and C# project files replaced the earlier methods. This is living-off-the-land through the developer toolchain: MSBuild will compile and execute C# embedded in a project file, so no separate malicious binary has to be dropped, and renaming the executable defeats detection rules that key on the file name MSBuild.exe rather than on the binary’s internal original file name or its signature.
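The Phase 3 technique above suggests the detection a practitioner would want on Windows endpoint telemetry: a renamed copy of MSBuild keeps its PE original file name, so the mismatch between the image name and OriginalFileName, combined with the binary running outside build-tool directories or with a project file in a user-writable staging folder, is the signal. The script below is an added example written for this article, not Proofpoint’s or TA416’s code; the trusted directories, staging-folder markers and the sample events are all constructed assumptions to be tuned per estate.

```python
"""Flag process-creation events consistent with renamed-MSBuild abuse.

Added example, not code from the article or from Proofpoint. Input is a
subset of Sysmon Event ID 1 fields (Image, OriginalFileName, CommandLine,
CurrentDirectory); the sample events below are constructed.
"""
import ntpath
import re

# Where Windows build tooling legitimately lives. Assumption for this example;
# tune to the estate (Build Tools installs, custom SDK paths, and so on).
TRUSTED_DIR_PREFIXES = (
    "c:\\program files\\microsoft visual studio\\",
    "c:\\program files (x86)\\microsoft visual studio\\",
    "c:\\windows\\microsoft.net\\framework\\",
    "c:\\windows\\microsoft.net\\framework64\\",
    "c:\\program files\\dotnet\\",
)
# User-writable locations where an archive extracted from a lure typically lands.
STAGING_MARKERS = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\")
PROJECT_ARG = re.compile(r'[^\s"]+\.(?:csproj|vbproj|proj|targets)\b', re.IGNORECASE)


def _trusted(path: str) -> bool:
    return path.lower().startswith(TRUSTED_DIR_PREFIXES)


def _staged(path: str) -> bool:
    lowered = path.lower()
    return any(marker in lowered for marker in STAGING_MARKERS)


def classify(event: dict) -> list[str]:
    """Return the reasons an event looks like MSBuild abuse; [] when it is clean."""
    image = event.get("Image", "")
    # OriginalFileName comes from the PE version resource and survives renaming.
    original = event.get("OriginalFileName", "").lower()
    image_name = ntpath.basename(image).lower()
    if original != "msbuild.exe" and image_name != "msbuild.exe":
        return []
    reasons = []
    if original == "msbuild.exe" and image_name != "msbuild.exe":
        reasons.append(f"renamed MSBuild binary: {image_name}")
    if not _trusted(image):
        reasons.append(f"MSBuild image outside build tooling directories: {image}")
    match = PROJECT_ARG.search(event.get("CommandLine", ""))
    if match:
        project = match.group(0)
        # A relative project path resolves against the process's working directory.
        if not ntpath.isabs(project):
            project = ntpath.join(event.get("CurrentDirectory", ""), project)
        if _staged(project):
            reasons.append(f"project file in user-writable staging location: {project}")
    return reasons


def scan(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Index and reasons for every event that classify() flags."""
    return [(i, r) for i, e in enumerate(events) if (r := classify(e))]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # 0: ordinary developer build from the Visual Studio install
        "Image": "C:\\Program Files\\Microsoft Visual Studio\\2022\\Community\\MSBuild\\Current\\Bin\\MSBuild.exe",
        "OriginalFileName": "MSBuild.exe",
        "CommandLine": "MSBuild.exe C:\\src\\app\\app.csproj /t:Build",
        "CurrentDirectory": "C:\\src\\app\\",
    },
    {   # 1: renamed MSBuild run from an extracted archive with a project file beside it
        "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\extracted\\viewer.exe",
        "OriginalFileName": "MSBuild.exe",
        "CommandLine": "viewer.exe document.csproj",
        "CurrentDirectory": "C:\\Users\\alice\\AppData\\Local\\Temp\\extracted\\",
    },
    {   # 2: copied but not renamed, launched from Downloads
        "Image": "C:\\Users\\bob\\Downloads\\MSBuild.exe",
        "OriginalFileName": "MSBuild.exe",
        "CommandLine": "MSBuild.exe build.csproj",
        "CurrentDirectory": "C:\\Users\\bob\\Downloads\\",
    },
    {   # 3: unrelated process
        "Image": "C:\\Windows\\System32\\notepad.exe",
        "OriginalFileName": "NOTEPAD.EXE",
        "CommandLine": "notepad.exe notes.txt",
        "CurrentDirectory": "C:\\Users\\bob\\",
    },
]

if __name__ == "__main__":
    for index, reasons in scan(SAMPLE_EVENTS):
        print(f"event {index}:")
        for reason in reasons:
            print(f"  - {reason}")
```

The first rule is the durable one: a filename rename changes Image but not OriginalFileName, so the mismatch holds across whatever the archive calls the binary next. The path rules are noisier and exist to catch the case where the attacker ships an unrenamed copy; expect to tune them on developer workstations.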
Before escalating to malware delivery, TA416 conducted email reconnaissance with tracking pixels: invisible 1×1 images embedded in phishing emails that fire an HTTP request to an attacker-controlled server when the mail client loads remote content, revealing the recipient’s IP address, device and mail client (from the User-Agent header), and the exact time the message was opened. This 2-step approach confirmed which diplomatic targets were live before the group committed malware resources to the operation. Lure topics included Europe sending troops to Greenland, humanitarian concerns, interview requests, and collaboration proposals.
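The reconnaissance step above is visible in the message itself before anyone opens it. The script below, an added example and not the article’s or Proofpoint’s tooling, walks the HTML part of an email and reports every image that both points at a remote URL and is rendered invisibly (1×1 or smaller, or hidden by inline style), which is the shape a tracking pixel takes. The sample message and the `.invalid` hostnames in it are constructed.

```python
"""Find remote tracking beacons in the HTML body of an email.

Added example, not from the article. A beacon here is an <img> whose src is
a remote URL and which is rendered invisibly (1x1 or smaller, or hidden via
inline style). The sample message below is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ImgCollector(HTMLParser):
    """Collect the attribute map of every <img> tag (self-closing ones included)."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def _length(value):
    """Parse '1', '1px', ' 1 ' into an int; None when absent or not numeric."""
    if value is None:
        return None
    text = value.strip().lower().removesuffix("px").strip()
    try:
        return int(float(text))
    except ValueError:
        return None


def _style(style):
    """Inline style declarations as a dict of lowercase property -> value."""
    decls = {}
    for decl in style.split(";"):
        if ":" in decl:
            prop, val = decl.split(":", 1)
            decls[prop.strip().lower()] = val.strip().lower()
    return decls


def is_tracking_pixel(attrs):
    src = attrs.get("src", "").strip().lower()
    if not src.startswith(("http://", "https://")):
        return False  # cid:/data: images are embedded; they cannot beacon out
    style = _style(attrs.get("style", ""))
    # The width/height attribute wins; fall back to the inline style if absent.
    width = _length(attrs.get("width", style.get("width")))
    height = _length(attrs.get("height", style.get("height")))
    tiny = width is not None and height is not None and width <= 1 and height <= 1
    hidden = style.get("display") == "none" or style.get("visibility") == "hidden"
    return tiny or hidden


def find_beacons(html):
    """Host, path and query of every tracking pixel in the HTML body."""
    parser = _ImgCollector()
    parser.feed(html)
    beacons = []
    for attrs in parser.images:
        if is_tracking_pixel(attrs):
            url = urlparse(attrs["src"].strip())
            beacons.append({"host": url.hostname, "path": url.path, "query": url.query})
    return beacons


# Constructed lure: an embedded logo, a visible banner, and two beacons.
SAMPLE_EMAIL_HTML = """
<html><body>
<img src="cid:logo@corp" width="200" height="60" alt="logo">
<p>Dear colleague, we would welcome the chance to interview you for our policy review.</p>
<img src="https://cdn.tracker.invalid/open.gif?rid=7f3a9c" width="1" height="1" style="border:0">
<img src="https://img.tracker.invalid/logo.png" style="display:none;width:120px">
<img src="https://static.tracker.invalid/banner.png" width="600" height="120">
</body></html>
"""

if __name__ == "__main__":
    for beacon in find_beacons(SAMPLE_EMAIL_HTML):
        print(beacon)
```

The query string is worth keeping in the output: a per-recipient token such as the constructed `rid=7f3a9c` is what tells the sender which address was opened, not just that someone opened it. The defensive consequence is that the mail gateway should proxy or strip remote images, or clients should not load remote content by default, because no amount of user caution prevents an image from loading.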
The Second Operation: China-Linked Hackers Inside Telecom Backbone Infrastructure
Separately from TA416’s diplomatic targeting, Rapid7 has documented a China-linked but unattributed threat actor that has deployed passive backdoors, among them an implant that hides behind the Linux kernel’s packet filter, deep inside telecommunications backbone infrastructure worldwide.
This campaign uses BPFdoor, a Linux passive backdoor first observed in 2021 and publicly documented in 2022. The implant is a user-space process rather than kernel code, but it relies on the kernel to stay hidden: it opens a raw packet socket and attaches a BPF filter so that the kernel hands it only packets carrying a specific magic byte sequence, and otherwise it stays dormant. It binds no listening port and generates no outbound traffic until triggered, so port scans, listening-socket inventories, and outbound-traffic baselines do not reveal it.
The actors targeted Ivanti, Cisco, Fortinet, VMware, and Palo Alto Networks appliances for initial access, then deployed CrossC2 (a toolkit that produces Cobalt Strike Beacon payloads for Linux and macOS) and TinyShell passive backdoors for persistence. In 2024, Salt Typhoon, a separate Chinese state-sponsored group, breached at least 9 US telecom firms using comparable infrastructure access methods. Volt Typhoon’s pre-positioning across US critical infrastructure was confirmed by CISA the same year.
The 2025–2026 telecom campaign represents a continuation of this sustained, multi-year effort to embed persistent access inside the communications infrastructure that government networks depend on.
4 Defensive Actions Security Teams Must Take Now
- Audit all third-party OAuth applications in Microsoft Entra ID and equivalent identity platforms, and remove any application without documented business justification. Pay particular attention to applications whose redirect URIs point at domains the organisation does not own and to consent grants made by individual users, since TA416 abuses legitimate OAuth flows to redirect signed-in users to malware delivery domains.
- Run Rapid7’s publicly released BPFdoor scanner across Linux hosts in telecom and government environments, and complement it with host-side checks. BPFdoor never binds a port or beacons out, so port scans and flow baselines will not find it, but the process still holds a packet socket that is visible in /proc and to tools such as ss and lsof.
- Implement domain reputation filtering with re-registration age thresholds, and treat domain age as one signal among several. TA416 consistently uses newly re-registered, formerly legitimate domains, so a recently renewed registration on a domain that has been dormant is a high-value indicator, but on its own it will also catch legitimate rebrands and expired-and-renewed domains.
- Do not rely on outbound-traffic anomaly detection alone. A dormant BPFdoor implant generates nothing to baseline against, so pair network monitoring with host integrity checks on Linux systems: unexpected raw or packet sockets, executables running from tmpfs or deleted from disk, and file integrity monitoring on the edge appliances and telecom hosts this actor favours.
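For the BPFdoor mechanism described in the telecom section and the host-side check recommended above, the concrete primitive to hunt is an AF_PACKET socket held by a process that has no business owning one. On Linux, /proc/net/packet lists every packet socket by inode, and /proc/<pid>/fd/* symlinks reveal which process holds each inode. The script below, an added example and not Rapid7’s scanner or the article’s tooling, cross-references the two and applies two heuristics that are this example’s own assumptions: an allowlist of daemons expected to hold packet sockets, and whether the owning executable lives on tmpfs or has been deleted from disk. `build_fixture()` creates a constructed /proc snapshot so the script runs offline; on a real host, call `hunt()` with the default `/proc` as root.

```python
"""Hunt for processes holding AF_PACKET sockets, the primitive that
BPFdoor-style passive backdoors sit on.

Added example, not Rapid7's scanner or the article's own tooling. It reads
the real /proc layout: /proc/net/packet lists packet sockets by inode, and
/proc/<pid>/fd/* symlinks reveal which process owns each inode. The
allowlist and tmpfs heuristics are this example's own assumptions, and the
snapshot built by build_fixture() is constructed so the script runs offline.
"""
import os
import tempfile
from pathlib import Path

# Daemons that legitimately hold packet sockets on a typical server. Assumption;
# build the real list from a known-good host, and remember that comm can be spoofed.
PACKET_SOCKET_ALLOWLIST = {
    "tcpdump", "dhclient", "dhcpcd", "NetworkManager", "systemd-network",
    "lldpd", "wpa_supplicant",
}
TMPFS_PREFIXES = ("/dev/shm/", "/tmp/", "/var/tmp/")


def packet_socket_inodes(packet_table: str) -> set[int]:
    """Inode numbers from the text of /proc/net/packet (its last column)."""
    inodes = set()
    for line in packet_table.splitlines()[1:]:      # skip the header row
        cols = line.split()
        if len(cols) >= 9 and cols[-1].isdigit():
            inodes.add(int(cols[-1]))
    return inodes


def socket_holders(proc: Path, inodes: set[int]) -> dict[int, list[int]]:
    """Map each socket inode of interest to the pids whose fd tables reference it."""
    holders: dict[int, list[int]] = {}
    for pid_dir in proc.iterdir():
        if not pid_dir.name.isdigit():
            continue
        try:
            fds = list((pid_dir / "fd").iterdir())
        except OSError:                             # exited, or not ours to read
            continue
        for fd in fds:
            try:
                target = os.readlink(fd)
            except OSError:
                continue
            if target.startswith("socket:[") and target.endswith("]"):
                inode = int(target[8:-1])
                if inode in inodes:
                    holders.setdefault(inode, []).append(int(pid_dir.name))
    return holders


def hunt(proc="/proc") -> list[dict]:
    """Processes holding packet sockets that fail the allowlist or tmpfs checks."""
    proc = Path(proc)
    inodes = packet_socket_inodes((proc / "net" / "packet").read_text())
    findings = []
    for inode, pids in socket_holders(proc, inodes).items():
        for pid in pids:
            pid_dir = proc / str(pid)
            comm = (pid_dir / "comm").read_text().strip()
            try:
                exe = os.readlink(pid_dir / "exe")
            except OSError:
                exe = "?"
            flags = []
            if comm not in PACKET_SOCKET_ALLOWLIST:
                flags.append("packet socket held by a process outside the allowlist")
            if exe.endswith(" (deleted)"):
                flags.append("executable has been deleted from disk")
            if exe.startswith(TMPFS_PREFIXES):
                flags.append("executable lives on tmpfs")
            if flags:
                findings.append({"pid": pid, "comm": comm, "exe": exe,
                                 "inode": inode, "flags": flags})
    return findings


def build_fixture() -> Path:
    """Constructed /proc snapshot: a benign tcpdump, a web server, and an implant."""
    root = Path(tempfile.mkdtemp(prefix="procfix-"))
    (root / "net").mkdir()
    (root / "net" / "packet").write_text(
        "sk       RefCnt Type Proto  Iface R Rmem   User   Inode\n"
        "00000000 3      3    0003   2     1 0      0      40001\n"
        "00000000 3      3    0800   2     1 0      0      40002\n"
    )
    procs = {
        1200: ("tcpdump", "/usr/bin/tcpdump", {3: "socket:[40001]"}),
        4711: ("udevd", "/dev/shm/.x (deleted)", {0: "/dev/null", 4: "socket:[40002]"}),
        2290: ("nginx", "/usr/sbin/nginx", {6: "socket:[99999]"}),   # ordinary TCP socket
    }
    for pid, (comm, exe, fds) in procs.items():
        pid_dir = root / str(pid)
        (pid_dir / "fd").mkdir(parents=True)
        (pid_dir / "comm").write_text(comm + "\n")
        os.symlink(exe, pid_dir / "exe")
        for num, target in fds.items():
            os.symlink(target, pid_dir / "fd" / str(num))
    return root


if __name__ == "__main__":
    for finding in hunt(build_fixture()):
        print(finding)
```

Because the implant sends nothing and listens on nothing, this has to run on the host; nothing on the wire will show it. The allowlist is a triage aid rather than a verdict, since a process can rename itself, so corroborate any hit by checking the executable against the package manager’s file list and by inspecting the process’s other descriptors and its parent.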
Final Thoughts
China’s cyber operations in 2025–2026 are not opportunistic. They are scheduled. TA416 restarts European campaigns when EU-China summits occur. It expands to new regions within weeks of conflicts breaking out. A separate operation sits silently inside telecom infrastructure, waiting.
The pattern is not one of hacking. It is one of permanent positioning, building access layers into the systems that governments, diplomats, and communications networks depend on, then waiting for the moment that intelligence becomes valuable.
By the time most organisations discover these implants, the access has existed for months. The question security teams should be asking is not whether they have been targeted. It is how long the access has already been there.